State of Oregon Office of the State Treasurer 3rd Party Service Provider Application




As documented in Oregon State Treasury's Cash Management Policy 02 18 14.PO, the Office of the State Treasurer (OST) maintains an application process for Service Providers who wish to provide credit/debit card and Automated Clearing House (ACH) transaction storage, processing, and/or transmission services to state agencies and organizations. Current and prospective 3rd Party Vendors providing these services are directed to complete this form.

The purpose of this prequalification process for 3rd parties providing financial transaction processing services to State of Oregon agencies is to understand a 3rd party's conformance with State of Oregon laws and banking requirements, the Payment Card Industry Data Security Standard (PCI DSS), and the National Automated Clearing House Association (NACHA) Operating Rules.

Section A. Service Provider Information

Company Name:
Company Address:
Company Website: (Note: if a detailed description of your company is not available online, please attach marketing materials.)
Contact Name: (Note: the contact should be the person in your organization who can answer questions about your organization's responses to this application.)
Contact Title:
Contact Phone:
Contact E-mail:

A.1. Service Provider Business Narrative

All Service Providers should prepare a narrative that describes their business, their relationship to card and bank account data, and the ways in which that financial data is received from end-customers or third-party businesses. Please provide responses to the following:

Explain specifically how your service and/or application will be used by a State organization to process financial transactions.
Years in operation.
Approximate volume of credit card and/or ACH transactions processed annually.
Name of the Merchant Bank/Processor used to process cardholder data and/or ACH transactions.
Describe how cardholder data and/or bank account information can be accepted for processing through your solution, e.g., Point of Sale (POS), Integrated Voice Response (IVR), Fax, Website, Mail Order or Telephone Order (MOTO), Mobile, Other.

A.2. Payment Flow Diagram

All Service Providers should maintain logical diagrams of their payment card and ACH processing environments. These diagrams should illustrate all areas where payment card and/or bank account data is accepted, stored, transmitted, and processed. The diagram included in Exhibit A depicts an example of a PCI compliant payment flow diagram for TJ's Pet Supply, a fictional pet supply retailer.

Please provide a copy of a Payment Flow Diagram reflecting the flow of cardholder and/or bank account data through your solution from the time it is key-entered by staff or a customer to the time it is settled and deposited to a state organization's bank account. The diagram must clearly reflect the organization or party responsible for maintaining and securing each component of the infrastructure included in the diagram.

A.3. Summary of Software/Hardware Information

Provide the name of all software (including version number) and hardware through which financial transaction data is entered, transmitted, processed and/or stored, as listed in the Payment Flow Diagram.

Section B. Protection of Customer Information

To pre-qualify as a Service Provider for the State of Oregon for processing financial transactions, the organization must show that it complies with the PCI DSS for processing cardholder data, applicable NACHA rules for processing bank account information, and Oregon's Identity Theft Protection Act.

B.1. Payment Card Industry Data Security Standard (PCI DSS)

The Service Provider must be listed on Visa's and/or MasterCard's website as a compliant service provider in good standing for credit/debit card transactions. Please complete the following:

Company is a Level ___ Service Provider (Service Provider levels are defined on Visa's website; see usa.visa.com).

Company is listed as a CISP/PCI Compliant Service Provider on Visa's and/or MasterCard's website under the following name: ___
Certification Date: ___

OR

Company has completed a PCI Data Security Assessment validating compliance with the PCI Data Security Standard, which is currently under review for inclusion on Visa's and/or MasterCard's website. For verification purposes, please provide the following:
Qualified Data Security Company: ___
Primary Contact Name: ___
Primary Contact Number/E-mail: ___
Date Assessment was Completed: ___

Please provide a copy of the PCI DSS Attestation of Compliance (AOC), completed and signed by your Qualified Security Assessor (QSA), with your completed application.

B.2. NACHA Rules

Electronic check processing must comply with NACHA Operating Rules and Security Requirements. OST expects the Service Provider to document in the contract with an agency that the Service Provider will comply with the applicable NACHA Rules and associated security requirements.

B.3. Identity Theft Protection Act

All financial transactions are subject to Oregon's Consumer Identity Theft Protection Act. OST expects the Service Provider to document in the contract with an agency that the Service Provider understands the Oregon Identity Theft Protection Act and to describe how it will comply with that Act.

Section C. State of Oregon Requirements

C.1. 3rd Party Vendor Fees

OST does not allow any organization to debit State bank accounts by ACH for fees; therefore, to pre-qualify as a 3rd Party Vendor, you or another organization working on your behalf (e.g., resellers) must agree to invoice the state organization for fees associated with the services you are providing. State organizations have the ability to make payments to your organization electronically by ACH or by check.

[ ] Checking this box indicates that you or another organization working on your behalf will invoice state organizations for fees associated with the services you provide.

List all the parties involved in the fee process and describe how the fees will be collected:

C.2. Relationship between Vendor and State Organization

If your company is working on behalf of a state organization (collects moneys on behalf of the State organization via an agreement with a State agency), then the funds received by your company are considered public funds as soon as they are settled/received by your company. Processing of public funds must comply with ORS 293.265 and ORS 295, and deposits must be made directly into a State Treasury account.
ORS 293.265(1) states in part: "It shall be the duty of the officer or other person or agent collecting, receiving, in possession of, or having the control of any state money or other funds, contributions or donations collected or received by, and to be expended by or on behalf of the state under the approval or supervision of any state officer, board, commission, corporation, institution, department or other state organization, recognized by the laws of this state and having the power to collect and disburse state funds, to turn over all such moneys mentioned in this section collected or received by or on account of such state officer, board, commission, corporation, institution, department or other state organization, to the State Treasurer not later than one business day after collection or receipt thereof."

ORS 295.002 provides that each public official shall deposit public funds in the custody or control of the public official in one or more depositories currently qualified pursuant to ORS 295.001 to 295.108.

The Department of Justice has advised agencies that moneys over which a state agency has contractual control, even though it does not have custody of the moneys, are public funds. For example, if an agency contracts with a third party to hold, manage or collect moneys on behalf of the agency, or an agency directs through its contract how moneys may be used in order to fulfill an obligation of the agency, such moneys are probably public funds. Contracts with third party administrators, grant recipients, escrow agents or persons collecting moneys for a state agency frequently involve public funds issues. If a contract involves public funds that are held and deposited by a third party, the contract should include language that requires the contractor to deposit the moneys in a qualified bank depository as defined in ORS 295.001. The contract should also require the contractor to identify the funds on the records of the bank as held for the benefit of, or on behalf of, the agency so that the moneys may be collateralized as public funds under ORS 295.015. The purpose of ORS chapter 295 is to provide collateral for public funds deposits in the event of a bank's insolvency.

Related Links:
http://www.leg.state.or.us/ors/293.html
http://www.leg.state.or.us/ors/295.html
http://www.ost.state.or.us/divisions/finance/cashmanagement/policy/2 18 14.3rd.Party.Vendor.pdf
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-serviceproviders.pdf
http://usa.visa.com/download/merchants/validated_payment_applications.pdf
https://www.pcisecuritystandards.org/security_standards/vpa/

Please answer the following:

a. Will your organization be providing services on behalf of a state organization? Yes or No

Note: it is very rare that a Service Provider would actually be working on behalf of an agency's customers rather than on behalf of the agency. If you answered No to the question above, OST recommends that the agency have its attorney review the contract to clarify the relationship between the 3rd party and the agency to ensure compliance with ORS 293.265 and ORS 295, if applicable.

If you answered No to a. above, go to Section D; otherwise, respond to the questions in Sections C.3 through C.5 indicating how your organization will comply with the state's depository requirements.

C.3. Merchant ID Requirements

Credit/debit card transactions must be deposited directly into a state account using a U.S. Bank/Elavon issued Merchant ID when they are settled after end-of-day processing.

Will your organization deposit credit/debit card funds directly into a state account using a U.S. Bank/Elavon issued Merchant ID? Yes or No

C.4. ACH Transaction Posting Requirements

ACH transactions must be processed using a State of Oregon issued Company ID and Name and must post to State agency and customer/receiver bank accounts on the effective date of the transaction, e.g., the transaction must credit the agency account on the same day that it debits the agency's customer's account.

Will your organization use a state-issued Company ID and Name provided to you by the state agency to process ACH transactions on their behalf, and never deposit the funds into your organization's bank account? Yes or No

C.5. Merchant Bank Processor Requirements

All credit/debit card transactions processed on behalf of agencies must process through Elavon or TSYS. Please complete the following section indicating whether you are certified to process directly with, or use a gateway to process through, Elavon or TSYS.

[ ] Your company is certified and processes directly with: Elavon (formerly Nova) and/or TSYS (formerly Vital)

OR

[ ] Your company uses a PCI-compliant payment application/gateway to process through: Elavon (formerly Nova) and/or TSYS (formerly Vital)

Please provide a list of the payment applications your service uses to process through Elavon and/or TSYS. Note: the payment application under consideration for use by the State agency must be included in the payment flow information requested in Section A.2.

D. Certification

By signing this document you certify that your answers are complete and correct to the best of your knowledge, that you have not deceived or attempted to deceive the examiners of this questionnaire, and that you are confident the answers you provided accurately reflect your corporation's or organization's actual practices, policies, and procedures.

X ______________________
Name:
Title:
Date:

E. Submission and Processing of Prequalification Form

1. If you have any questions regarding this form, please contact the Office of the State Treasurer's Cash Management Policy and Planning Manager at (503) 373-7312.
2. Print this form and complete all sections. If a section does not apply to the service you are providing, mark the section N/A. If required, attach documentation.
3. Mail the completed form and any required documentation to:
   Office of the State Treasurer
   Attn: Cash Management Policy and Planning Manager
   350 Winter Street NE, Suite 100
   Salem, OR 97301-3896
4. Please allow 2-4 weeks for processing.

Exhibit A: Sample Payment Flow Diagram